IR 05000277/1992031

Insp Repts 50-277/92-31 & 50-278/92-31 on 921116-20. No Violations Noted. Major Areas Inspected: Design & Procedures Used to Mitigate Consequences of Cable Spreading Room Fire
ML20126B820
Person / Time
Site: Peach Bottom
Issue date: 12/15/1992
From: Beall J, Durr J
NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I)
To:
Shared Package
ML20126B793 List:
References
50-277-92-31, 50-278-92-31, NUDOCS 9212220220

U.S. NUCLEAR REGULATORY COMMISSION

REGION I

REPORT/DOCKET NOS.: 50-277/92-31, 50-278/92-31

LICENSE NOS.: DPR-44, DPR-56

LICENSEE: Philadelphia Electric Company, Wayne, Pennsylvania 19087-0195

FACILITY NAME: Peach Bottom Atomic Power Station, Units 2 and 3

INSPECTION AT: Delta, Pennsylvania

INSPECTION DATES: November 16-20, 1992

INSPECTORS: Todd H. Fish, Senior Operations Engineer; Roy K. Mathew, Reactor Engineer

TEAM LEADER: J. E. Beall, Team Leader, Engineering Branch, DRS

APPROVED BY: Jacque P. Durr, Chief, Engineering Branch, Division of Reactor Safety

Areas Inspected: Announced inspection by Region I personnel to review the design and procedures used to mitigate the consequences of a cable spreading room fire.

Results: Refer to Executive Summary.

9212220220 921215 PDR ADOCK 05000277 G PDR

EXECUTIVE SUMMARY

Inspectors conducted an announced inspection at the Peach Bottom Atomic Power Station during the period November 16-20, 1992. The inspectors evaluated the adequacy of the installed equipment and procedural guidance to mitigate the effects of a fire postulated in the cable spreading room, which is located directly beneath the combined control room for both units. That fire location was selected because it would require evacuation of the control room, local operation of equipment, and implementation of alternative shutdown methods.

Overall, the licensee demonstrated a good safety perspective and sound engineering practice. The licensee's staff was very knowledgeable in the design of the facility and the applicable regulatory requirements. Based upon the sample of design drawings, operating procedures and installation details reviewed, the inspectors concluded that the licensee could successfully mitigate a cable spreading room fire under the postulated conditions. Operators demonstrated, during a simulator scenario, the ability to recognize a cable spreading room fire and the need to take appropriate mitigating actions. The licensee's engineering staff also demonstrated the availability of information tools necessary to identify specific cable routing for equipment potentially available to assist in mitigation and recovery.

The Peach Bottom design was determined to be generally resistant to the propagation of damage from a cable spreading room fire. The absence of power cable in that area, the fusing methods employed, and the presence of certain interlocks provided adequate mitigation of the sample of potential failure mechanisms reviewed. One item involving current transformer design remained unresolved at the close of the inspection.

Two weaknesses in procedures were identified during a simulated fire scenario. The first weakness involved difficulty in transitioning between Special Event procedures. The second weakness involved possible confusion as to the intent of an entry condition. The second weakness was considered to be related to the unresolved design item because the entry condition did not contain any timeliness guidance.

1.0 INTRODUCTION

This inspection was conducted at the Peach Bottom Atomic Power Station by a group of NRC personnel to evaluate the effectiveness of the licensee's design and procedures for mitigating the risks associated with a fire postulated in the cable spreading room. The inspection reviewed three general areas: design and installation of equipment, operations procedures for fire scenarios, and probabilistic risk assessment of post-fire plant conditions.

The regulatory requirements associated with fire protection are provided in 10 CFR 50.48 and 10 CFR 50, Appendix R. In general, in areas important to safety, licensees are required to have a fire protection program whose objectives are to prevent fires; to rapidly detect, control, and extinguish fires that do occur; and to protect sufficient equipment from any postulated fire to safely shut down the plant.

2.0 DESIGN EVALUATIONS

The inspector reviewed the licensee's design methodology for safe shutdown of Peach Bottom 2 and 3 for a postulated fire in the cable spreading room. Four separate methods (namely A, B, C and D) were available to achieve hot and cold shutdown. Methods A, B and C required control of safe shutdown equipment from the control room, whereas method D used control from alternative shutdown panels. Method D was the alternative shutdown method used for a catastrophic fire in either the control room, the cable spreading room, the computer room or the emergency shutdown panel area.

In the event of a worst-case fire in any of the above areas, operators would proceed to the alternative control stations to transfer control from the control room by changing the position of the control switches installed in the alternative shutdown panels. This would isolate the portion of each circuit potentially damaged by the fire from the rest of the circuit. The alternative control stations for Peach Bottom are located in the recirculation pump motor-generator set rooms and the emergency 4 kV switchgear rooms.

2.1 Safety-Related Systems Cable Routing

The inspector reviewed a selected sample of key safety systems, the high pressure coolant injection system, the emergency service water system, the automatic depressurization system, and the emergency power system, to verify the adequacy of safe shutdown measures utilized to meet 10 CFR 50, Appendix R requirements. A field walkdown was conducted to verify the as-built conditions of the safe shutdown components. The review indicated that no power cables were installed in the cable spreading room area. The safe shutdown cables were specifically protected in areas where more than one train of safe shutdown equipment was routed. The cable routing, cable protection methods, protective features of safe shutdown circuits, isolation and separation of circuits, and design changes performed to meet the Appendix R requirements reviewed were generally adequate.

2.2 Fire Detection and Suppression Systems

The inspector reviewed the fire detection and suppression systems provided for the cable spreading room and the control room. The review indicated that the cable spreading room and the control room had two independent ionization detector systems to detect fires. Both systems provided an alarm and indication in the fire panel and annunciator window located in the control room. The detection systems used a Pyrotronics detection and supervisory system. No suppression systems were provided in the control room. In the cable spreading room, actuation of one detector would provide an alarm in the control room and actuation of any two detectors in the same area would actuate the carbon dioxide (CARDOX) suppression system. The inspector performed a walkdown of the control room and cable spreading room area to verify the installation and design of the CARDOX and Pyrotronics systems. The design and installation of the CARDOX and Pyrotronics systems were acceptable.

2.3 Alternate Shutdown Design

The inspector reviewed a sample of design considerations with respect to the licensee's alternate shutdown methods. The licensee's procedures allowed operators to continue to control all plant equipment from the control room after the identification that a cable spreading room fire was in progress (see Sections 3.2 and 3.3). Subsequent transfer of control at the alternative shutdown panels was assumed to restore full system operability.

The inspector reviewed electrical grounds control, circuit coordination, spurious signal mitigation, emergency diesel generator start control, fault protection and circuit interlocks to determine if safe shutdown components could be damaged by the effects of a cable spreading room fire.

The inspector concluded that the licensee had an aggressive dc ground detection and elimination program. A review of the previous three years of operating history with respect to grounds in the dc system for both units indicated that there had been fewer than five grounds each year and that they had been eliminated within a day or two. During this inspection, no grounds were identified.

The inspector reviewed the high impedance fault calculations and circuit coordination to assure that the safe shutdown circuits connected to a common bus would not be isolated by the cumulative effects of grounds or shorts on associated circuits. No unacceptable conditions were noted. Also, a sampling review of circuit coordination of several components in different voltage levels indicated that the circuits were coordinated properly.

The inspector also examined, on a sampling basis, the spurious signal concerns for the high/low pressure interfaces, current transformer secondaries and fire instigated actuations.

A review of the licensee's high/low pressure interface evaluations indicated that the licensee had locked open the breakers to prevent any spurious operation of the components. A review of the current transformer (CT) secondaries protection indicated that the licensee provided isolation/transfer control switches to prevent opening of the current transformer circuits routed through the cable spreading room. The inspector was concerned that, if the CT circuits experienced an open circuit before the controls were transferred to the alternate shutdown panels, there was a risk of an overvoltage condition in excess of the cable insulation rating which could cause fires in other areas including potential damage of the switchgear components.

To address the above concern, the licensee provided test data regarding open circuit tests of two CTs performed by Brown Boveri for Limerick Generating Station, Units 1 and 2. The results indicated that peak voltage for full load conditions developed by a 600/5 CT was 283 volts and by a 1200/5 CT was 600 volts. The conclusion was that the CTs and cables would not be damaged by the open circuit voltage since the CT and cable insulation ratings were not exceeded. The test results did conclude, however, that a personnel hazard was present. The inspector observed that the CTs and circuit routing used at Peach Bottom were different from Limerick (Brown Boveri vs. General Electric). There was no evidence that any analysis or test had been performed for Peach Bottom to evaluate the impact on the safe shutdown circuits and components from open circuit damage in cables routed through the cable spreading room. The inspector also noted that the operating procedures did not discuss timeliness of isolation of these circuits to prevent any potential failures. This issue is unresolved pending review of evidence demonstrating that CT circuits at Peach Bottom are protected adequately to prevent any damage to the safe shutdown circuits and components (50-277/92-31-01 and 50-278/92-31-01).

The inspector also reviewed the emergency diesel generator (EDG) circuits to assure that the air start system and dc field flash circuits would not be degraded before the isolation occurred. The review indicated that spurious actuations would not prevent an EDG start from the alternative shutdown panels.

One function of control power is to trip open breakers automatically following an electrical fault so as to isolate the fault and protect other equipment. A cable spreading room fire would damage control power circuits. Possible effects of damage to control power circuits include loss of breaker fault protection and spurious component actuations. The inspector selected one possible fault scenario caused by the spurious start of a nonsafety 13 kV motor driven pump with its discharge valve shut. Such operation could lead to motor failure with an electrical fault. The inspector questioned the impact of such a fault on the safety-related 4 kV buses, given that a cable spreading room fire had disabled all control power routed through that area. A review of applicable design documents showed that the protective circuits for the 4 kV safe shutdown buses were individually fused and were not routed through the cable spreading room area. Therefore, the breakers would be tripped by protective relays to prevent any damage resulting from 13 kV faults. The inspector had no further questions.

The inspector reviewed the design measures that would prevent spurious actuations, during a cable spreading room fire, that could cause unsupervised paralleling of two sources (EDG and offsite power). Unsupervised paralleling could damage the EDGs or the bus before the controls were transferred to the alternative shutdown panels. The licensee provided documents showing that the 4 kV bus protective circuits and control circuits were powered independently and were not routed through the cable spreading room. The design would protect the buses and the diesels from any fault or any overloading conditions. The inspector also noted that the circuit interlocks were provided to prevent inadvertent closing of the breakers. The interlock circuits were routed through areas other than the cable spreading room. The inspector concluded that the design features were adequate to prevent unsupervised paralleling of two sources.

2.4 Conclusion

Generally, the electrical design was found to be adequate to meet the Appendix R requirements for alternate safe shutdown. However, one item remained unresolved regarding the impact of potential opening of current transformer secondaries during a fire. The staff was found to be very knowledgeable in the design of the facility and in the requirements of Appendix R. The licensee had a good ground detection and elimination program for the dc system. The detection and suppression systems for the cable spreading/control room areas were found to be adequate.

3.0 PROCEDURE REVIEW

The procedures for achieving safe shutdown following an Appendix R fire were similar for both Peach Bottom units. The two units shared a combined control room and a common cable spreading room such that a fire in either of those areas could potentially affect both units simultaneously. The four site EDGs were also common to the two units. In the event of a worst case fire with a loss of offsite power, both units would have to exercise their respective shutdown procedures at their own designated alternative shutdown panels. The procedures differ mainly in that Unit 2 would use the "B" EDG as its power supply and Unit 3 would use the "D" EDG. The inspector reviewed the remote shutdown procedure, special event (SE) procedure SE-10, "Plant Shutdown from the Alternative Shutdown Panels," and concluded that it adequately described the required actions.

3.1 Walkdown of Alternative Shutdown Procedure

The inspector conducted a walkdown of selected portions of SE-10. Discussions with plant operators indicated that they were familiar with the various actions directed by the procedure. Licensed operators received biennial training on SE-10 as part of the requalification program. No deficiencies were identified during the SE-10 procedure walkdown.

The Peach Bottom simulator included a remotely located high pressure coolant injection (HPCI) alternative shutdown (ASD) panel. Actions taken at the ASD would be reflected in the simulator control room. The inspector considered the modeling of the ASD panel in the simulator to represent a potential strength in that operators could obtain substantial familiarity and experience in operating the equipment from the remote panel without exercising the installed HPCI system.

3.2 Simulator Scenario

The inspector utilized the Peach Bottom simulator to evaluate the adequacy of the operating procedures, control room information, and control board displays to respond to an Appendix R fire in the cable spreading room. The postulated scenario involved a fire which originated in cables directly below the control room panels. Spurious valve motion and component actuations were inserted, including closure of two main steam isolation valves (MSIVs), which led quickly to an automatic reactor trip and closure of all the MSIVs.

Additional failures were inserted according to the scenario to reflect the continued increase in fire damage. The failures included numerous alarms, gauge failures and spurious panel lights. Control of the HPCI system, the reactor core isolation cooling (RCIC) system, and other key systems was lost from the control room. The cable spreading room smoke alarm was received about five minutes into the scenario followed by automatic CARDOX initiation three minutes later.

The simulator crew adequately addressed the initiating event, reactor scram due to MSIV closure. The appropriate emergency operating procedure (EOP) was promptly entered and the crew attempted to stabilize the plant using the HPCI system. Subsequently, the crew postulated that a carbon dioxide (CARDOX) actuation in the cable spreading room had caused the scram and was also causing the random failures in indicating lights, meters, and recorders. Accordingly, they entered a Special Event procedure, SE-2, "CARDOX Injection into the Cable Spreading Room," to address the event.

Per procedure SE-2, the reactor operator was dispatched to the HPCI ASD panel. From there, the reactor operator took control of the HPCI system and successfully stabilized reactor water level and controlled reactor pressure.

While carrying out the actions directed by SE-2, the crew received a fire alarm for the cable spreading room. In response, they entered the Off-Normal procedure for a fire, ON-114. This procedure, in turn, directed the crew to the Trip procedures, specifically T-325, "Fire in the Cable Spreading Room." From this point until the scenario was stopped, about 30 minutes later, the crew maintained control of reactor water level, reactor pressure, and coordinated fire fighting efforts with the fire brigade.

Control room indication and control continued to degrade as simulated fire damage affected more and more cables, including cycling the EDGs. With HPCI successfully maintaining key primary plant parameters stable, operators expressed no urgency to activate the other remote stations.

3.3 Procedure Weaknesses

As described below, two weaknesses were identified with respect to procedures during the simulator exercise. The first weakness involved difficulty in transitioning between Special Event procedures and the second concerned potentially vague procedure entry conditions.

While implementing SE-2, which addressed a CARDOX injection into the cable spreading room, the crew confirmed that there was also a fire in the room. In response to this new symptom, the crew determined that they should enter SE-10, "Plant Shutdown From the Alternative Shutdown Panels." However, when the crew attempted to transition from SE-2 into SE-10, it became clear that there was no exit step in SE-2 which supported that action. Moreover, they determined that any transition into SE-10 would be complicated because equipment that SE-10 affected was also addressed in SE-2 (in particular, HPCI). They stated that they were concerned that implementing SE-10 might undo what SE-2 had initiated. Thus, because there did not appear to be a way to simply back out of SE-2, nor a way to implement SE-2 and SE-10 concurrently, the crew felt constrained to stay in SE-2. Since HPCI local operation under SE-2 had been successful in stabilizing the reactor parameters, the operators concluded that there was no urgency to enter SE-10 and that there was time to make a detailed assessment of the two procedures before taking action.

The inspector concluded that the crew's actions were reasonable under the scenario conditions, but the inspector considered the absence of transition guidance to be a procedure weakness. The licensee acknowledged the inspector's concerns and stated that SE-2 and other Special Event procedures would be reviewed for possible enhancements in this area.

The second procedure weakness involved the transition guidance in procedure T-325, concerning implementation of alternative shutdown methods per SE-10. Procedure T-325 contained a step that asked whether "... safe shutdown is jeopardized." If the crew had answered yes to this question, then T-325 directed entry into SE-10. However, with HPCI maintaining reactor level and pressure, the crew considered that safe shutdown was not jeopardized. Accordingly, they did not transition into SE-10.

The inspector considered the guidance in T-325 to be a weakness in the procedure. Discussions with other licensee personnel indicated that the question if "... safe shutdown is jeopardized," was interpreted differently by other licensed operators. For example, several individuals stated that, under the simulated conditions, they would have answered the question in the affirmative and entered SE-10. The inspector noted that the scenario contained numerous spurious actuations and other challenges of components which would have been prevented by the controls transfers in SE-10 (see Section 2.0). Many of the features of the Peach Bottom design provided adequate mitigation of cable spreading room fire damage effects such that implementation of the controls transfers might not be required promptly. One design question was unresolved (see Section 2.3) with respect to current transformer design which had the potential to require timely entry into SE-10.

3.4 Conclusions

Crew performance during the scenario demonstrated that the EOPs interfaced adequately with fire response procedures and were effective in stabilizing key primary plant parameters after the simulated cable spreading room fire. However, the scenario demonstrated two examples of weakness in procedure guidance. With respect to SE-2, it was not clear how to exit this procedure if entry into SE-10 was required, nor was it clear how to implement SE-2 concurrently with SE-10 if that was desired. Regarding T-325, it appeared that there was not a consensus as to what constituted jeopardy to safe shutdown. The T-325 procedure weakness was considered to be related to a concern involving current transformer design.

4.0 TECHNICAL SUPPORT

4.1 Determination of Potentially Available Equipment

The inspector reviewed the information resources that would be used by the licensee to provide design support for mitigation or recovery actions. In particular, the inspector interviewed some of the engineering personnel who would be in the Technical Support Center (TSC) and who would be tasked to assess the availability of certain components. The inspector selected the high pressure service water (HPSW) pumps for a detailed review.

The TSC personnel demonstrated a good knowledge of alternative methods for providing HPSW flow, should an operating HPSW pump show signs of degradation during an Appendix R fire scenario. The TSC personnel also were able to generate circuit routing information for one selected HPSW pump including physical cable location such that walkdowns could be conducted to confirm cable integrity prior to use. The individuals interviewed did not appear to be certain as to what steps they would recommend prior to manually closing the pump breaker in the absence of control power. The inspector concluded, however, that the necessary information existed to support informed decision making and that the tools necessary to extract this information were available and understood by the engineering personnel.

4.2 Safe Shutdown Strategies

The licensee submitted a fire hazards analysis (FHA) for the Peach Bottom facility in 1977. The FHA documented licensee measures to meet the applicable regulatory requirements for fire protection. In 1986, the licensee issued a fire protection program (FPP) document which updated the earlier FHA and addressed the regulatory requirements of 10 CFR 50, Appendix R, which was issued subsequent to the FHA.

The FPP outlined four separate methods to safely shut down a unit affected by a fire. Tables of plant areas contained fire impact assessments including the identification of which shutdown method(s) would be available following a fire in each area. The inspector reviewed the FPP and concluded that it provided sufficient guidance to allow safe shutdown. In particular, the inspector noted that the FPP adequately detailed the design features and operational measures associated with achieving safe shutdown from outside the control room due to a fire in, for example, the cable spreading room.

The inspector used the licensee's Probabilistic Risk Assessment (PRA) to quantify the risk of core damage given that fire damage had limited the plant to a single shutdown method. The risk values were generated separately for all four shutdown methods. The risk values for three of the four methods were essentially identical and represented an increase of about three orders of magnitude from the selected baseline of a reactor trip due to closure of the main steam isolation valves. The inspector discussed the values with the cognizant licensee engineers and concluded that the risk increase was consistent with the level of postulated fire damage and the conservatism of the assumptions.

One shutdown method appeared to represent an additional one order of magnitude risk of core damage. This method ("Method C" in the FPP) assumed that neither the HPCI nor the RCIC system was available and that operator action would be required to depressurize the plant to allow low pressure systems to inject water into the reactor vessel. The inspector discussed the results with the licensee and determined that this analysis result was greatly dependent upon assumptions with respect to operator error. Changes in assumptions such as proper, timely procedure adherence produced risk values two or more orders of magnitude better than the other shutdown methods.

In summary, the FPP provided adequate guidance on methods that could be used to achieve safe shutdown following a fire. The FPP methods were determined to be generally equivalent in terms of risk with the only apparent exception due to human error analysis assumptions.

5.0 CONCLUSIONS

Overall, the licensee demonstrated a good safety perspective and sound engineering practice. Based upon the sample of design drawings, operating procedures and installation details reviewed, the inspectors concluded that the licensee could successfully mitigate a cable spreading room fire under the postulated conditions. Operators demonstrated, during a simulator scenario, the ability to recognize a cable spreading room fire and to use plant procedures to mitigate the event. The licensee's engineering staff also demonstrated the availability of information tools necessary to identify specific cable routing for equipment potentially available to assist in mitigation and recovery.

One item remained unresolved at the close of the inspection involving current transformer design. The concern was that a fire could damage cables to current transformers such that the transformers could fail and damage components needed for safe shutdown. The design question is discussed in Section 2.3, while the procedure aspect of whether there is a need to promptly isolate the potentially affected circuits is discussed in Section 3.2.

ATTACHMENT 1

Persons Contacted

Philadelphia Electric Company

C. Behrend Operations - Shift Supervisor
J. Coyle Electrical Systems Branch Head - Technical Section
W. Coyle NED - Engineering Programs & Standards Manager
B. Eckman Nuclear Quality Assurance - Auditor
B. Ewin Operations Support Branch Head
D. Foss Regulatory Engineer
A. Fulvio Regulatory Supervisor
T. Furlong Fire Protection Supervisor
R. Gambone Nuclear Steam Supply Systems Branch Head
G. Gellrich Shift Operations Manager
J. H alt NED - Reliability and Risk Assessment Branch - Engineer
D. Hildebrand Operations - Reactor Operator
E. Kraft Operations - Reactor Operator
A. Marie NED - Engineering Programs & Standards Branch Head
D. McClellan Supervisor Operations Training
R. McKinley Operations Support Branch Engineer
D. McRoberts Operations - Shift Manager
B. Merryman Operations - Reactor Operator
D. Meyers Technical Section - Superintendent
11. Nelle Nuclear Quality Assurance - Auditor
K. Patek License Operator Requalification Training - Sr. Instructor
K. Powers Plant Division - Manager
M. Pratt Manager - Quality (PBAPS)
M. Reitmeyer Site Engineering - Electrical/I&C - Branch Head
R. Smith Regulatory Inspection and Environmental Engineer

Public Service Electric and Gas Company

P. Ott Site Representative

U.S. Nuclear Regulatory Commission

P. Bonnet Resident Inspector
M. Evans Resident Inspector
B. Korona Reactor Engineer
J. Lyash Senior Resident Inspector

Denotes personnel present at the exit meeting on November 20, 1992. Other persons were also contacted.
